EP0695056A2 - Method for sharing secret information, generating a digital signature and performing certification in a communication system having a plurality of information processing apparatuses, and communication system using such a method - Google Patents

Method for sharing secret information, generating a digital signature and performing certification in a communication system having a plurality of information processing apparatuses, and communication system using such a method

Info

Publication number
EP0695056A2
Authority
EP
European Patent Office
Prior art keywords
secret
information
apparatuses
authentication
sharing
Prior art date
Legal status
Granted
Application number
EP95305211A
Other languages
German (de)
English (en)
Other versions
EP0695056B1 (fr)
EP0695056A3 (fr)
Inventor
José Manuel Cerecedo Lopez
Keiichi Iwamura
Current Assignee
Canon Inc
Original Assignee
Canon Inc
Priority date
Filing date
Publication date
Priority claimed from JP17848394A (JP3604737B2)
Priority claimed from JP00818495A (JP3610106B2)
Priority claimed from JP7008185A (JPH08204697A)
Application filed by Canon Inc
Publication of EP0695056A2
Publication of EP0695056A3
Application granted
Publication of EP0695056B1
Anticipated expiration
Expired - Lifetime (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L 9/3255 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/60 Digital content management, e.g. content distribution
    • H04L 2209/601 Broadcast encryption

Definitions

  • the present invention relates to a method whereby secret information, which is carried in one of the information processing apparatuses (hereafter referred to as a "subscriber") that are joined together by communication paths in a communication system, can be shared among the subscribers, and to a communication system that employs such a method. Further, the present invention relates to a method for sharing or generating a digital signature for a group that is composed of several of a plurality of subscribers, and to a communication system that employs such a method.
  • the present invention pertains to a method for sharing, with a plurality of subscribers, a certification function by which a receiver of information can verify that the information has been transmitted from a correct transmitter (has not been altered by another apparatus along the way), and to a communication system that employs such a method.
  • a conventional coding technique that generates redundant data is one of the known techniques that improve the reliability of information communication systems.
  • Error correction codes in particular, by which errors that have occurred along a communication path can either be detected or corrected, are frequently employed to efficiently implement highly reliable communication systems.
  • A. Shamir proved that a coding technique that increases redundancy by sharing confidential information is effective as a means, in a communication system, for improving reliability while at the same time protecting secret information (see "How to Share a Secret", Communications of the ACM, Vol. 22, No. 11, 1979).
  • the protection of shared secret information does not have to rely only on the physical security provided at a single specific subscriber, and reliability can be increased (fault tolerance can be achieved), as described by the following two definitions.
  • the sharing and the holding of certain secret information x by all the subscribers means that individual subscribers i generate information segments, which together correspond to the secret information x, and distribute the generated information segments to the other subscribers in order to satisfy the following requirements (a) and (b).
  • M. Ben-Or, S. Goldwasser, and A. Wigderson described a conventional error correction coding technique that, for communication over a secret communication channel, provides a verifiable secret sharing system (when the threshold value t satisfies t < n/3) that tolerates faulty subscribers as long as their number is smaller than one third of the total subscribers (see "Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation", ACM STOC 1988).
  • in the non-dialogue cryptological method (2), the calculation of a one-way function of a special order must be performed n times for the n secret portions. Especially when the secret sharing process is employed as a partial process for safely executing a shared calculation, the number of secret sharing processes that must be performed increases (e.g., it is on the order of n for shared multiplication), and the total number of calculations becomes impractically large.
  • the dialogue method (1) requires a great amount of communication, while the cryptological method (2) requires a huge number of calculations.
  • the cryptological technique is effective for implementing not only the function for keeping information secret, but also a function for verifying received information and a function, called a "digital signature", for verifying for a third person that the received information has been transmitted from a designated apparatus.
  • the RSA cryptosystem is one of the public-key cryptosystems (for an example, see "A Method For Obtaining Digital Signatures and Public-Key Cryptosystems", R. Rivest, A. Shamir, and L. Adleman, Communications of the ACM, Vol. 21, No. 2, 1978, pp. 120-125, or see USP 4,405,828).
  • the fundamental portion of this sharing digital signature method is to share secret information in a communication system that consists of the above described plurality of subscribers so as to satisfy the previously mentioned requirements (a) and (b).
  • the sharing-type digital signature method proposed by Y. Desmedt and Y. Frankel, that employs the RSA cryptosystem based on the secret sharing method satisfies the following requirements (I) and (II).
  • an enormous amount of communication is required for a shared digital signature system that is based on the dialogue type verifiable secret sharing method (1) of the conventional technique, while an enormous amount of calculation is required for a shared digital signature system that is based on the non-dialogue verifiable secret sharing method (2) of the conventional technique.
  • a person who requests a certification is called a testifier
  • a person who provides a testifier an authentication is called an authenticator.
  • an authentication server manages secret information for all the apparatuses that constitute a communication system
  • an authentication server that is fully reliable for physical reasons is also required (likewise, for the public-key cryptological method, a centralized control center that manages all public keys is required). Therefore, to ensure security, an authentication server must be strictly controlled by locating it in a locked room that no one is allowed to enter without permission.
  • if the authentication server cannot be relied on because of a failure or the commission of an unauthorized act, fault tolerance is so reduced that the security of the complete system breaks down.
  • the present invention is positioned between the dialogue type system (1) and the non-dialogue type system (2): it employs a verifiable secret sharing method for which both the amount of computation and the amount of communication required are of a practical order of magnitude, and proposes a shared digital signature system (a system that may not generate a signature when the number of subscribers that perform unauthorized acts is equal to or greater than a threshold value, but can identify such subscribers), which is positioned between requirement (I) (a system that may not generate a signature when there is a subscriber who performs an unauthorized act) and requirement (I') (a system that can generate a signature even when the number of subscribers who perform unauthorized acts is equal to or lower than a specific threshold value).
  • a shared digital signature system: a system that may not generate a signature when the number of subscribers that perform unauthorized acts is equal to or greater than a threshold value, but can identify such subscribers
  • the present invention that achieves these objectives relates to an authentication method for a communication system, wherein a plurality of apparatuses are connected and wherein apparatuses among those that belong to a specific group commonly provide authentication, the authentication method comprising the steps of: transmitting an authentication request message, which includes identifiers for a testifier and for an authenticator, from an apparatus of the testifier, who transmits a request for authentication from an apparatus of the authenticator, to each of the apparatuses of the specific group; generating an authentication element, which is encrypted with a secret key that is related to the authenticator, that is based on the authentication request message by employing a cooperative effort involving all of the apparatuses that belong to the specific group, and generating an authentication message by encrypting the authentication element with a secret key that is related to the testifier; transmitting the authentication message from each of the apparatuses of the specific group to the apparatus of the testifier; decrypting the authentication message at the apparatus of the testifier upon receipt of the authentication message, and transmitting the de
  • Fig. 3 is a diagram showing the relationship between secret s and partial matrix S.
  • R. Merkle has proposed a one-way hash function that uses block cryptology, such as DES (Data Encryption Standard) (see "One-Way Hash Functions And DES," Advances in Cryptology - Crypto '89, Lecture Notes In Computer Science, Vol. 435, Springer-Verlag, 1990).
  • block cryptology such as DES (Data Encryption Standard)
  • h denotes the one-way hash function that is efficient (includes a high-speed calculation method).
  • the hash function (see aforementioned "Modern Cryptological Theory") that is formed by a high-speed block encryption function is employed, for example.
  • the probability that verification of the secret sharing processing will fail is 2^(-k'(t+1)) according to Cut and Choose processing (see the aforementioned "Verifiable Secret Sharing And Multiparty Protocols With Honest Majority," T. Rabin and M. Ben-Or).
  • Each subscriber i (i = 1, . . ., n) employs the random number generation unit 23 to broadcast k' bits (information B2.i) that are randomly selected (processing R2.i).
  • the randomly selected k' bits are each called Bi_1, . . ., Bi_k', and the bits of all n subscribers together are called B1, . . ., Bk.
  • s'_c(n) are acquired for the respective rows and columns by interpolation of polynomials. Further, the results s'(r) and s'(c) are acquired by the interpolation of polynomials for the above values. The subscriber i verifies whether or not the two of these results are equal and all the elements of these column vectors are correct values for the polynomial that corresponds to the values s'_c(1), . . ., s'_c(n) and s'_r(1), . . ., s'_r(n).
  • the number of sets that correspond to different correct partial matrixes is t+1 at the maximum, and the partial matrixes are called S_1, . . ., S_T (wherein T ≤ t+1).
  • a non-corresponding column vector represents a subscriber that performed an unauthorized act.
  • an amount of communication on the order of n^2·k (wherein n is the number of subscribers and k is a safety parameter) is required, while an amount of communication on the order of n^3·k^2 is required for the conventional dialogue type method (1) described above.
  • only a single calculation of the one-way hash function is required in this embodiment, while on the order of n calculations of a specific one-way function are required for the conventional non-dialogue type method (2).
  • the verifiable secret sharing process and the secret decryption process, as in Embodiment 1, are employed as partial processing for a conventional safe shared computation method (see, for example, "Secure Multiparty Protocols And Zero-Knowledge Proof Systems Tolerating A Faulty Minority", D. Beaver, Journal Of Cryptology, 1991, or "A Note On Multiparty Protocols To Compute Multiplicative Inverses", M. Cerecedo, T. Matsumoto, and H. Imai, SCIS '94, Biwako, Japan, January 1994), so that a more efficient shared operation processing system can be provided.
  • the elements of the column vectors X_c(i) and Y_c(i) and the elements of secret values x_r(i) and y_r(i) (see Embodiment 1) of the partial matrix that each subscriber holds are added. It is apparent from the definition of a partial matrix (the elements of the rows and columns are values of a polynomial) that the addition results X_c(i)+Y_c(i) and x_r(i)+y_r(i) are a column vector and a secret value for a partial matrix relative to x+y.
  • the one-way hash function values x* and y* which are employed to verify an information segment in the secret decryption process, are stored. These values are used as needed when the decryption process is performed on the addition result x+y, and thus partial matrix X+Y that corresponds to the secret x+y is verified.
  • the present invention is not limited to the number of dimensions of the partial matrix described in the above embodiment, and may be a multiple dimensional partial array. Further, a function employed may be a function, other than a one-way hash function, that ensures the acquisition of the one way characteristic. As for the Cut and Choose technique, it is not limited to the procedures specifically explained in Embodiment 1, but may involve the use of any method for verifying propriety without leaking the secret.
  • the amount of communication and calculation can be smaller than those required for the conventional case, for a process, such as a safe sharing operation process, which requires repetitive performance of a secret sharing process, the traffic within a communication system can be reduced, and the communication costs can be decreased because of the small amount of communication, while the processing is performed at high speed because of the small amount of calculation.
  • a method for digital signature shared generation performed by a plurality of subscribers that belong to a group of signers will be described by employing the above described secret sharing method.
  • the information processing apparatus 11 that subscribers in the system use, the broadcast communication channel 12, and the secret communication channels 13 are the same as those in Fig. 1.
  • subscribers A, B, and C constitute a group of signers.
  • the block structure of the information processing apparatus 11 is as shown in Fig. 2.
  • the results acquired by multiplying a by each element of the partial matrix that the subscriber holds are elements of the partial matrix relative to x*a.
  • a digital signature of given message m is generated by the group while being shared as follows.
  • Each subscriber i selects secret element r(i) at random from {1, . . ., p-1}, and the selection is shared with all the subscribers of the group of signers by performing the above described secret sharing process. Further, each subscriber i calculates g^(r(i)) mod q (wherein q is a prime number selected in the above described manner), and broadcasts it across the broadcast communication channel.
  • Each subscriber employs, as an input, the value R‖m obtained by combining the given message m and the value R acquired in Round 6, and calculates the output e = h(R‖m) of the predetermined function h described above. Then, s = r + h(R‖m)
  • the shared secret s is decrypted by the secret decryption processing for the secret sharing method.
  • a signature for the given message is defined as (R, s).
  • the generated signature is verified by using the public key a and by performing the signature verification processing for the digital signature method.
  • the secret decryption process of the secret sharing method is performed to identify such a subscriber.
  • the elements q_r(i,1), . . ., q_r(i,t) are selected from {1, . . ., N-1} so as to satisfy the following requirements.
  • the elements q_c(j,1), . . ., q_c(j,t) are selected from {1, . . ., N-1} so as to satisfy the following requirements.
  • both vectors [s_r(1), . . ., s_r(n)] and [s_c(1), . . ., s_c(n)] that have the above values satisfy the following requirements for q_r(1), . . ., q_r(t), q_c(1), . . ., q_c(t), which are from among {1, . .
  • the secret sharing process for distributing a secret portion so that the secret element s can be shared and held by all the subscribers who belong to a group of signers, and the secret decryption process for decrypting the thus shared secret or for identifying a subscriber who performs an unauthorized act (if such an act occurs), are performed in the same manner as the processes (1) and (2) in Embodiment 1 are performed.
  • processing can be provided where the secret element that a certain subscriber in the group of signers holds can be shared and held by all the subscribers in the group.
  • an explanation will be given of processing, of a shared digital signature system, for employing this secret sharing method to generate secret information for a group of signers (which is equivalent to a secret key and which is shared by all the subscribers of the group) and public information for the secret information (which is equivalent to a public key and which is employed for verifying a signature that is generated by the group).
  • Key generation processing (see Figs. 13A and 13B).
  • Each subscriber i selects secret element a(i) at random from {1, . . ., N-1}, and the selection is shared with all the subscribers of the group of signers by performing the above described secret sharing process. Further, each subscriber i calculates a(i)^l mod N (wherein l is an element selected in the above described manner), and broadcasts it across the broadcast communication channel.
  • a secret key that is obtained through the above processing is employed by the group to generate a shared digital signature for a given message m as follows.
  • Each subscriber i selects secret element r(i) at random from {1, . . ., N-1}, and the selection is shared with all the subscribers of the group of signers by performing the above described secret sharing process. Further, each subscriber i calculates r(i)^l mod N (wherein l is an element selected in the above described manner), and broadcasts it across the broadcast communication channel.
  • Each subscriber employs, as an input, the value R‖m that is obtained by combining the given message m and the value R acquired in Round 6, and calculates the output e = h(R‖m) of the predetermined function h described above. Then, s = r * a^(h(R‖m))
  • the shared secret s is decrypted by the secret decryption processing for the secret sharing method.
  • a signature for the given message is defined as (R, s).
  • the generated signature is verified by using the public key a and by performing the signature verification processing for the digital signature method.
  • the secret decryption process of the secret sharing method is performed to identify such a subscriber.
  • The method as stated in Embodiment 1 is used as a specific method for sharing a secret element that is selected by a certain subscriber in a group of signers and for holding it by all the subscribers of the group.
  • An explanation will now be given of a process, of a shared digital signature system, for employing the secret sharing method to generate secret information (which is the equivalent of a secret key that is shared by all the subscribers of a group of signers) of the group and public information for the secret information (public information that is equivalent to a public key and that is employed for verifying a generated signature).
  • Each subscriber i selects secret element a(i) at random from {1, . . ., p-1}, and the selection is shared with all the subscribers of the group of signers by performing the above described secret sharing process. Further, each subscriber i calculates g^(a(i)) mod q (wherein q is a prime number that is selected in the above described manner), and broadcasts it across the broadcast communication channel.
  • h denotes an efficient one-way hash function as in Embodiment 1.
  • Subscriber d employs the random number generation unit 23 to generate secret element s and partial matrixes for secret elements l1, . . ., lk that are randomly selected from {1, . . ., p-1}.
  • One-way hash function values s* for secret values s_r(1), . . . , s_r(n), l1_r(1), . . ., l1_r(n), . . ., lk_r(1), . . . , lk_r(n) are calculated (see Fig. 4).
  • the hash values s* (Bl.d in Fig. 17) are broadcast across the broadcast communication channel to all the subscribers (represented as processing R1.d in Fig. 17).
  • the random number generation unit 23 is employed to generate a partial matrix (which is called T(i), M1(i), . .
  • the hash function values s* for secret values t(i)_r(1), . . ., t(i)_r(n), m1(i)_r(1), . . ., m1(i)_r(n), . . ., mk(i)_r(1), . . ., mk(i)_r(n) are calculated (see Fig. 4).
  • Each subscriber i transmits the column vectors T_c(j), M1_c(j), . .
  • the randomly selected k' bits are each called Bi_1, . . ., Bi_k', and the bits to the total n subscribers are each called B1, . . ., Bk.
  • the information that the subscriber i has broadcasted is represented as B3.i in Fig. 17.
  • a decision message is broadcast by the subscriber d (processing R5.i in Fig. 17).
  • the information that is broadcast by the subscriber i is represented as B5.i in Figs. 17 and 18.
  • each subscriber i broadcasts the partial matrix Mj(i) that is generated by the subscriber i in Round 2. If Bj is 0, the subscriber d broadcasts the result (written as T(i) + Mj(i)), which is obtained by adding each element of the generated partial matrixes T(i) and Mj(i) in the finite set (mod p) (processing R6.i in Fig 18). Further, the subscriber d broadcasts the column vectors from the subscriber i that are determined in Round 5. The information that is broadcast by the subscriber d is represented as B6.i in Fig. 18.
  • if Bo is 1, lj_r(o) is decrypted, the column vector below is calculated, and it is verified that the result obtained by calculating the column vector is identical and corresponds to the value 0: (lj_r(o))^(-1) * Mj(o)_r(i) - X(o)_r(i).
  • the secret element s that a specific subscriber i has selected at random from {1, . . ., p-1} is verifiably shared, and at the same time, the product s*x of the secret s and the previous, verifiably shared secret x is calculated.
  • the calculation process for obtaining a product of two shared secrets x and y by performing the above processing will be described. This process is shown in Fig. 19.
  • product x*y of the two shared secret elements x and y can be shared and calculated by the subscribers that join the group.
  • a digital signature for a given message m is shared and generated by the group as follows. Signature generation processing (see Fig. 20)
  • Each subscriber i selects secret element r(i) at random from {1, . . ., p-1}, and this selection is shared with all the subscribers of the group of signers by performing the above described secret sharing process. Further, each subscriber i calculates g^(r(i)) mod q (wherein q is a prime number selected in the above described manner), and broadcasts it across the broadcast communication channel.
  • the shared secret s is decrypted by the secret decryption processing of the secret sharing method.
  • a signature for the given message is defined as (R, s).
  • the generated signature is verified by using the public key a and by performing the signature verification processing for the digital signature method.
  • the secret decryption process of the secret sharing method is performed to identify such a subscriber.
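The signing rounds above (shared nonce r(i), broadcast g^(r(i)) mod q, e = h(R‖m), shared s, public-key verification) and the key generation round with broadcast g^(a(i)) mod q, as an added toy walk-through that is not the patent's own code: Shamir sharing over GF(P) stands in for the patent's partial matrices, the hash-commitment and Cut and Choose verification is omitted, and the truncated formula is assumed to be s = r + h(R‖m)·a mod p, which is what the check g^s = R·y^e requires.

```python
"""Added example (not the patent's code): toy walk-through of the shared signature of
Embodiments 2/4.  Shamir sharing over GF(P) stands in for the patent's partial matrices;
the hash-commitment / cut-and-choose verification is omitted.  Assumed: the truncated
formula is s = r + h(R||m)*a mod P, which is what the check g^s == R * y^e (mod Q) needs.
"""
import hashlib
import secrets

# Toy parameters (assumed, not from the patent): P, Q prime with P | Q-1, and
# G = 2^6 mod 607 generates the order-P subgroup of Z_Q^*.  Exponents are in GF(P).
P, Q, G = 101, 607, 64


def share(secret, t, n):
    """Shamir sharing: f(1..n) of a random degree-t polynomial with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}


def lagrange_at(shares, x):
    """Evaluate the degree-t polynomial through the shares at x (x = 0 gives the secret)."""
    val = 0
    for i, y_i in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (x - j) % P
                den = den * (i - j) % P
        val = (val + y_i * num * pow(den, -1, P)) % P
    return val


def reconstruct(shares):
    """The patent's 'secret decryption': interpolate at 0 from t+1 shares."""
    return lagrange_at(shares, 0)


def add_shares(*dicts):
    """Shares of a sum are sums of shares (the additive property the patent relies on)."""
    return {i: sum(d[i] for d in dicts) % P for i in dicts[0]}


def hash_to_exponent(R, m):
    """e = h(R || m) reduced into GF(P); SHA-256 stands in for the patent's
    block-cipher based one-way hash h."""
    digest = hashlib.sha256(R.to_bytes(4, "big") + m).digest()
    return int.from_bytes(digest, "big") % P


def distributed_key_gen(t, n):
    """Each subscriber picks a(i), shares it, and broadcasts g^a(i) mod Q.  Returns
    (each subscriber's share of a = sum a(i), public key y = prod g^a(i) = g^a)."""
    a_shares, y = {i: 0 for i in range(1, n + 1)}, 1
    for _ in range(n):
        a_i = secrets.randbelow(P - 1) + 1
        a_shares = add_shares(a_shares, share(a_i, t, n))
        y = y * pow(G, a_i, Q) % Q
    return a_shares, y


def shared_sign(m, a_shares, t):
    """Signing rounds: shared nonce r = sum r(i), R = prod g^r(i), e = h(R||m); each
    subscriber forms its share of s = r + e*a locally, and t+1 shares recover s."""
    n = len(a_shares)
    r_shares, R = {i: 0 for i in a_shares}, 1
    for _ in range(n):
        r_i = secrets.randbelow(P - 1) + 1
        r_shares = add_shares(r_shares, share(r_i, t, n))
        R = R * pow(G, r_i, Q) % Q
    e = hash_to_exponent(R, m)
    s_shares = {i: (r_shares[i] + e * a_shares[i]) % P for i in a_shares}
    s = reconstruct({i: s_shares[i] for i in list(s_shares)[: t + 1]})
    return (R, s), s_shares


def shares_consistent(shares, t):
    """True iff all shares lie on one degree-t polynomial: fit the first t+1, check
    the rest.  A share altered by a misbehaving subscriber breaks the fit."""
    pts = list(shares.items())
    base = dict(pts[: t + 1])
    return all(lagrange_at(base, x) == y for x, y in pts[t + 1:])


def verify(m, y, sig):
    """Check against the group public key: g^s == R * y^h(R||m) (mod Q)."""
    R, s = sig
    return pow(G, s, Q) == R * pow(y, hash_to_exponent(R, m), Q) % Q
```

With t = 2 and n = 5, any three subscribers recover s, and an altered share both fails the consistency check and yields a signature that the public key rejects.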
  • the present invention is not limited to the number of dimensions for a partial matrix as is described in the above embodiments 3 to 5, and may be a multiple dimensional partial array.
  • a function employed may be a function, other than a one-way hash function, that ensures the acquisition of the one way characteristic.
  • as for the Cut and Choose technique, it is not limited to the procedures specifically explained in Embodiment 1, but may be any method for verifying propriety without leaking the secret.
  • a shared digital signature method can be provided by which, when the number of correct signers in a group, which consists of a plurality of computers (signers) that are connected via a communication system, is greater than a threshold value t, a signature can be generated by the group, and when a signer performs an unauthorized act, that signer can be identified.
  • the method in this embodiment needs only an efficient amount of communication and calculation.
  • the method of the present invention is safer because by this method an offending signer can be identified.
  • the amount of calculation that is required for each signer who joins a group of signers is assumed to be substantially the same as that required for the latter conventional digital signature method.
  • the amount of communication required for each signer is on the order of l·n^2·k (wherein n denotes the number of subscribers, k denotes a safety parameter, and l denotes the length of the integers employed), and is more practical than that required for the former conventional digital signature method.
  • the required amount of communication and calculation can be reduced by employing a signature generation method of this embodiment.
  • the traffic in a communication system and communication costs can be reduced, and because of a small amount of calculation, high speed processing can be performed.
  • Fig. 21 is a diagram illustrating a communication system, according to one embodiment of the present invention, that has information processing apparatuses that share and perform authentication.
  • Apparatuses 14 are apparatuses AS(1), . . ., AS(k) (hereafter called "members") that are shared authentication servers.
  • the number of the members in this case is defined as a comparatively small number, 20 or less, for efficiency.
  • the total number of apparatuses that constitute the communication system may be considerably greater than the number of members; they are connected to the members across the secret communication channels 13, and communication between the apparatuses is performed across a normal (unreliable) communication channel 16.
  • a request for service (e.g., a file transfer, a remote procedure call, etc.)
  • the apparatus that makes a request is called a "client"
  • the apparatus that receives the request and provides the service is called a "server".
  • apparatuses 15 are apparatuses C/S(1), . . ., C/S(n) that serve as such a client and a server.
  • a member can be a client or a server.
  • the client and the server are employed for mutual authentication and the authentication of the communication contents. Further, the client and the server share a secret key for performing secret communication.
  • the authentication server in this embodiment is more reliable than a conventional authentication server.
  • VSS: Verifiable Secret Sharing
  • the elements of the column vectors X_c(i) and Y_c(i) and the elements of secret values x_r(i) and y_r(i) of the partial matrix that each subscriber holds are added. It is apparent from the definition of a partial matrix (the elements of the rows and columns are values of a polynomial) that the addition results X_c(i)+Y_c(i) and x_r(i)+y_r(i) are a column vector and a secret value for a partial matrix relative to x+y.
  • the one-way hash function values x* and y*, which are employed to verify an information segment in the secret decryption process, are stored. These values are used as needed when the decryption process is performed on the addition result x+y, and thus the partial matrix X+Y that corresponds to the secret x+y is verified.
  • A secret can thus be shared among the members by a verifiable method.
  • The protocol is realized as shown in Figs. 23A and 23B.
  • Each member AS(i) generates a pseudo-random secret r_i, represented as an element of a finite set, and shares it among the members (processing 81).
  • The resulting pseudo-random secret r is a value that nobody can learn unless a majority of the members collude.
  • A shared pseudo-random secret generated in this manner can be employed as a conversation key between a testifier and an authenticator.
  • Fig. 24A is a diagram for explaining this protocol.
  • The VSS protocol is executed in the finite field GF(2^L).
  • The secret portions m1(i), . . ., mN(i) of the N blocks m1, . . ., mN of the message m are assumed to be secretly shared among the members AS(i).
  • A secret key pk that has the same length as the message m is also divided into N blocks pk1, . . ., pkN, each of length L.
  • These blocks are secretly shared among the members, so that each member AS(i) holds the secret portions pk1(i), . . ., pkN(i).
  • Each member AS(i) adds its portions block by block, mj(i) + pkj(i). By the addition property of shares, the results c1(i), . . ., cN(i) are the secret portions of c1, . . ., cN, the N blocks of length L of the encrypted statement c = m + pk. The encrypted statement c is therefore obtained by the secret decryption process described above and becomes public.
  • An apparatus of the communication system that holds the secret key pk can decrypt the original message m from the public encrypted statement c (mj = cj - pkj). The secret key pk is used only once and never again.
  • If the message m were public data, a third person could recover the secret key pk by subtracting the known message m from the encrypted statement c that has become public, so the key would no longer be secret. Therefore, the protocol shown in Fig. 24B is employed for public data.
  • The message m is formed of N blocks m1, . . ., mN, each of length L.
  • The contents of the message m are public data, known to the members.
  • The secret key pk is twice as long as the message m and is divided into 2N blocks pk1_1, pk1_2, . . ., pkN_1, pkN_2, each of length L.
  • pk is secretly shared among the members, and each member AS(i) holds the secret portions pk1_1(i), pk1_2(i), . . ., pkN_1(i), pkN_2(i).
  • Each member AS(i) performs the following arithmetic operation in the given finite field for each block j, where * denotes multiplication and + denotes addition: cj(i) = pkj_1(i) * mj + pkj_2(i). Because mj is public, multiplying each portion of pkj_1 by mj and adding the portion of pkj_2 yields a portion of cj = pkj_1 * mj + pkj_2.
  • c1(i), . . ., cN(i) are thus the secret portions of c1, . . ., cN, the N blocks of length L of the encrypted statement c. The encrypted statement c is therefore obtained by the secret decryption process described above and becomes public.
  • An apparatus that holds the secret key pk splits pk and the encrypted statement c into blocks of length L and computes mj = (cj - pkj_2) / pkj_1 from pkj_1, pkj_2 and cj.
  • In this case too, the secret key pk is used only once and never again.
  • Authentication with a common key is realized, using the above protocols, by a shared authentication server instead of a conventional centralized authentication server, as follows.
  • The authentication protocol includes the communication through which a testifier receives an authentication message from the shared authentication server and the communication through which the testifier provides authentication data to an authenticator. This is called "on-line processing".
  • off-line processing: As a premise for the on-line processing, a secret key sharing process between the shared authentication server and each apparatus that serves as a testifier or an authenticator, and a conversation key generation process by the shared authentication server, are necessary. This is called "off-line processing".
  • The off-line processing could be performed each time a secret key or a conversation key is needed during the on-line processing, but that would lengthen the on-line processing time and the communication period.
  • The information that must be shared in advance among the members that form the shared authentication server is the information related to the secret keys of all the apparatuses.
  • The secret key employed between a testifier and the shared authentication server must be discarded once the encryption or decryption of a message is completed, so many keys have to be generated. This is done by the following secret key delivery processing.
  • The generation of the shared pseudo-random secrets employed as conversation keys between a testifier and an authenticator is also performed during the off-line processing, as follows.
  • Apparatus j of the communication system, which will request authentication, performs the secret sharing process in advance to share among the members a sufficiently large number M of pseudo-random secrets pkj_1, . . ., pkj_M that it selects arbitrarily.
  • The members AS(i) thus receive the secret portions pkj_1(i), . . ., pkj_M(i) of these pseudo-random secrets. If apparatus j has not shared its secrets correctly, only apparatus j itself is affected: it simply cannot receive authentication service with its own secret key pkj. Therefore, the post-processing that verifies whether the shared information is correct need not be performed in this case, and a broadcast channel across which all the members check that j makes no false statement need not be provided between apparatus j and the members (see Fig. 27).
  • Shared pseudo-random secrets r1, . . ., rQ, which serve as conversation keys between testifiers and authenticators, are generated during the off-line processing and held in a list.
  • shared pseudo-random secret: As described in the shared pseudo-random secret generation protocol, every member must perform the sharing processing for its pseudo-random secret. Since the members do not have to do so at the same time, each may perform it while it is otherwise idle and the communication system is not in use, and share the generated pseudo-random secret with the other members. Each member then holds, as a list, the shared pseudo-random secret portions r1(j), . . ., rQ(j) together with the index that indicates the position of the next one to use.
  • The on-line authentication protocol by which client P (testifier) acquires from the shared authentication server an authentication element to transmit to server V (authenticator) is performed in the following steps S1 through S4.
  • Step S1: The client P transmits, across a normal communication channel to a member of the shared authentication server, a request message 101 (see Fig. 28A) containing the information (id_P, id_V, s), denoted AUTH_REQUEST, where
  • id_P denotes the identifier of the client P,
  • id_V denotes data that specifies the server V, and
  • s denotes an arbitrarily selected random number.
  • Step S2: A member that has received AUTH_REQUEST performs the following steps S21 through S26 (see Fig. 28B).
  • Step S21: A time stamp that indicates the current time is broadcast and the common time is confirmed.
  • Step S22: With the shared secret key encryption protocol for shared secret data, the pseudo-random secrets rz, . . ., r(z+a-1) that serve as conversation keys ck1, . . ., cka between the testifier and the authenticator are encrypted under the secret encryption keys pkV_x, . . ., pkV_(x+a-1),
  • where a denotes the number of pseudo-random secrets, and
  • z and x denote the indexes of the current positions in the pseudo-random secret list and in the secret key list pk of V.
  • The results of this encryption are CT_1, . . ., CT_a.
  • Step S24: With the shared secret key encryption protocol for shared secret data, the encrypted statements CT_1, . . ., CT_(a+b) for the authenticator, obtained at step S23, and the conversation keys ck1, . . ., cka used at step S22 are encrypted under the 2a+b secret keys pkP_y, . . ., pkP_(y+2a+b-1).
  • The results are CCT_1, . . ., CCT_(2a+b).
  • Step S25: With the shared secret key encryption protocol for public data, the random number s, which became public at step S1, and id_V, the identifier of the authenticator, are encrypted under the next 2c secret keys pkP_(y+2a+b), . . ., pkP_(y+2a+b+2c-1) of the secret key list used at step S24.
  • The results are CCT_(2a+b+1), . . ., CCT_(2a+b+c).
  • These are appended to the results of step S24, giving CCT_1, . . ., CCT_(2a+b+c).
  • Step S26: The secret decryption process is performed to reconstruct the secretly shared CCT_1, . . ., CCT_(2a+b+c).
  • The reconstructed result is transmitted, together with the index y as it was before being advanced at step S24, across the normal communication channel to the client P, the testifier, as authentication message 102.
  • Step S3: The testifier P refers to the received index y and to the secret keys pkP_y, . . ., pkP_(y+2a+b+2c-1) in its own secret key list, and employs the shared secret key decryption protocols (for shared secret data and for public data, respectively) to decrypt the pseudo-random secrets ck, and the values s and id_V, from the received data CCT_1, . . ., CCT_(2a+b+c). The testifier P then verifies that the decrypted s and id_V are correct. If they are, the decrypted pseudo-random secret ck is stored as the common key with the authenticator, and the decrypted authentication element 103 (CT_1, . . ., CT_(a+b)) is transmitted to the authenticator V (see Fig. 29A).
  • Step S4: Referring to the index x included in the authentication element and to the secret keys pkV_x, . . ., pkV_(x+a+2b-1) in its own secret key list, the authenticator V employs the shared secret key decryption protocol for public data to decrypt the time stamp and the identifier id_P of the testifier from the received authentication element, and the shared secret key decryption protocol for shared secret data to decrypt the pseudo-random secret ck. The authenticator then verifies that the decrypted time stamp and identifier id_P are correct. If they are, the testifier P is authenticated, and the decrypted pseudo-random secret ck is stored as the common key with the testifier (see Fig. 29B).
  • Embodiment 6: When an attacker eavesdrops on the authentication element that a testifier transmits to an authenticator and records it, the attacker can later submit that authentication element to the authenticator and request a service that the testifier did not intend, to the testifier's detriment. This is called a replay attack.
  • To prevent this, time information that is exchanged is additionally attached to the authentication element that the testifier transmits to the authenticator at step S3 of the on-line processing of Embodiment 6.
  • These procedures are shown in Figs. 30A and 30B.
  • The processing in this embodiment is the same as that in Embodiment 6, except that steps S3' and S4' are performed in addition to steps S3 and S4 of the on-line processing. Only steps S3' and S4' are explained.
  • Step S3': After step S3 of Embodiment 6, the testifier uses the obtained conversation key ck to encrypt a new time stamp T2 and its own identifier id_P, obtaining {T2, id_P}ck, and transmits {T2, id_P}ck to the authenticator together with the authentication element.
  • Step S4': The authenticator performs step S4 of Embodiment 6 to decrypt the authentication element, and uses the obtained conversation key ck to decrypt the accessory message {T2, id_P}ck.
  • The authenticator then verifies the time stamp T2 and the identifier id_P of the testifier; if T2 is old, the request for service is refused.
  • shared authentication protocol: The shared authentication protocol provides a testifier and an authenticator with the same authentication function as a conventional, centrally managed authentication protocol, while achieving high fault tolerance.
  • The on-line processing of the shared authentication protocol requires about the same amount of computation as a conventional authentication protocol.
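The share-addition property, the shared pseudo-random secret generation (Figs. 23A and 23B) and the two shared-secret-key encryption protocols (Figs. 24A and 24B) described above, as an added worked example in Python. This is not code from the patent or from Canon. It assumes a prime field GF(P) in place of GF(2^L) (the protocols only use field addition, multiplication and inversion, which any field provides), five members with a threshold of three, and plain Shamir sharing without the VSS verification values x*, y*; `share`, `reconstruct`, `demo` and the other names are this example's own.

```python
"""Added example: Shamir sharing with share addition, shared pseudo-random
secret generation, and the shared-secret-key encryption protocols for
shared secret data (c = m + pk) and for public data (c = pk_1 * m + pk_2).
Assumed: GF(P) stands in for GF(2^L); VSS verification data is omitted."""
import secrets

P = (1 << 31) - 1      # prime modulus (assumption: GF(P) instead of GF(2^L))
N_MEMBERS = 5          # members AS(1)..AS(5)
THRESHOLD = 3          # a majority of members is needed to reconstruct


def share(secret, rng=secrets.randbelow):
    """Evaluate a random degree-(THRESHOLD-1) polynomial f with f(0) = secret
    at the member indexes 1..N_MEMBERS; member i receives f(i)."""
    coeffs = [secret % P] + [rng(P) for _ in range(THRESHOLD - 1)]
    shares = {}
    for i in range(1, N_MEMBERS + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(i)
            y = (y * i + c) % P
        shares[i] = y
    return shares


def reconstruct(shares):
    """Lagrange interpolation at 0 from any THRESHOLD shares: the patent's
    'secret decryption' step, after which the value is public."""
    pts = list(shares.items())[:THRESHOLD]
    total = 0
    for i, yi in pts:
        num = den = 1
        for j, _ in pts:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def add_shares(a, b):
    """Member-local addition: portions of x plus portions of y are portions of x+y."""
    return {i: (a[i] + b[i]) % P for i in a}


def scale_shares(a, k):
    """Member-local multiplication by a public constant k: portions of k*x."""
    return {i: (a[i] * k) % P for i in a}


def shared_random_secret(rng=secrets.randbelow):
    """Each member AS(i) picks its own r_i and shares it; every member adds the
    portions it received.  The result is portions of r = sum(r_i), which nobody
    learns unless THRESHOLD members pool their portions."""
    acc = share(rng(P), rng)
    for _ in range(N_MEMBERS - 1):
        acc = add_shares(acc, share(rng(P), rng))
    return acc


def encrypt_shared_secret(m_shares, pk_shares):
    """Fig. 24A protocol: c_j(i) = m_j(i) + pk_j(i) computed locally, then c_j
    is published by reconstruction.  Neither m_j nor pk_j is ever assembled."""
    return [reconstruct(add_shares(m, k)) for m, k in zip(m_shares, pk_shares)]


def decrypt_with_pk(c_blocks, pk_blocks):
    """The apparatus holding the one-time key pk recovers m_j = c_j - pk_j."""
    return [(c - k) % P for c, k in zip(c_blocks, pk_blocks)]


def encrypt_public_data(m_blocks, pk1_shares, pk2_shares):
    """Fig. 24B protocol for a public m_j: c_j(i) = pk_j1(i) * m_j + pk_j2(i).
    Knowing m_j and c_j gives one linear relation between pk_j1 and pk_j2, not
    the key, so a third party cannot produce c for a different block."""
    return [reconstruct(add_shares(scale_shares(k1, m), k2))
            for m, k1, k2 in zip(m_blocks, pk1_shares, pk2_shares)]


def decrypt_public_data(c_blocks, pk1_blocks, pk2_blocks):
    """The key holder recovers m_j = (c_j - pk_j2) / pk_j1 (pk_j1 non-zero)."""
    return [((c - k2) * pow(k1, -1, P)) % P
            for c, k1, k2 in zip(c_blocks, pk1_blocks, pk2_blocks)]


def demo(rng=secrets.randbelow):
    """Off-line: apparatus j shares a one-time key pk.  On-line: the members
    publish c for a value they hold only in shared form, and for a public one."""
    pk = [rng(P) for _ in range(2)]                       # held by apparatus j
    pk_shares = [share(k, rng) for k in pk]               # held by the members
    m_shares = [shared_random_secret(rng) for _ in range(2)]   # e.g. conversation keys
    c = encrypt_shared_secret(m_shares, pk_shares)        # public
    m = decrypt_with_pk(c, pk)                            # only apparatus j can do this
    public_m = [0x4142, 0x4344]                           # constructed sample blocks
    pk1 = [1 + rng(P - 1) for _ in public_m]              # non-zero multiplier part
    pk2 = [rng(P) for _ in public_m]
    c_pub = encrypt_public_data(public_m, [share(k, rng) for k in pk1],
                                [share(k, rng) for k in pk2])
    return {"m_ok": m == [reconstruct(s) for s in m_shares],
            "pub_ok": decrypt_public_data(c_pub, pk1, pk2) == public_m}
```

`demo()` returns `{"m_ok": True, "pub_ok": True}`: the members never see m, pk or the conversation keys in the clear, and the one-time keys must be consumed exactly once, as the description requires, because a second use of pk_j1, pk_j2 with a different public block would let an observer solve for the key.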
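The on-line exchange S1 through S4 (Figs. 28A to 29B) with the replay check S3'/S4' (Figs. 30A and 30B), as an added worked example in Python; this is not code from the patent or from Canon. It collapses the shared authentication server into one party that holds the key lists in the clear (sharing those lists among the members is the off-line part and is not modelled), uses GF(P) in place of GF(2^L), fixes a = 1 conversation key, b = 2 public blocks (time stamp, id_P) for the authenticator and c = 2 public blocks (s, id_V) for the testifier, and, because the patent does not specify the cipher used under ck for {T2, id_P}ck, models it as a SHA-256-derived one-time mask. Step S23, absent from the fragments above, is taken to encrypt the time stamp and id_P under pkV with the public-data protocol, which is what step S4 decrypts. Class and function names are this example's own.

```python
"""Added example of the on-line exchange S1..S4 plus the replay check S3'/S4'.
Assumed: one party plays the shared authentication server with the key lists
in clear; GF(P) replaces GF(2^L); a = 1, b = 2 (T, id_P), c = 2 (s, id_V);
the cipher under ck is a SHA-256-derived one-time mask (not in the patent)."""
import hashlib
import secrets

P = (1 << 31) - 1
KEYS_V = 1 + 2 * 2           # a + 2b one-time keys of V used per run
KEYS_P = 2 * 1 + 2 + 2 * 2   # 2a + b + 2c one-time keys of P used per run

def enc_secret(m, k):        # protocol for shared secret data: c = m + pk
    return (m + k) % P

def dec_secret(c, k):
    return (c - k) % P

def enc_public(m, k1, k2):   # protocol for public data: c = pk_1 * m + pk_2
    return (k1 * m + k2) % P

def dec_public(c, k1, k2):
    return ((c - k2) * pow(k1, -1, P)) % P

def ck_mask(ck, i):          # keystream block under ck (assumed construction)
    h = hashlib.sha256(ck.to_bytes(8, "big") + bytes([i])).digest()
    return int.from_bytes(h[:4], "big") % P

class SharedAuthServer:
    def __init__(self, pk_lists, r_list):
        self.pk, self.cursor = pk_lists, {i: 0 for i in pk_lists}  # lists, x/y
        self.r, self.z = r_list, 0                                 # ck list, z

    def take(self, who, n):                     # next n one-time keys, never reused
        start = self.cursor[who]
        self.cursor[who] = start + n
        return start, self.pk[who][start:start + n]

    def auth_request(self, id_p, id_v, s, now):
        """Step S2 on AUTH_REQUEST (id_P, id_V, s); `now` is the S21 time stamp."""
        ck, self.z = self.r[self.z], self.z + 1
        x, kv = self.take(id_v, KEYS_V)
        ct = [enc_secret(ck, kv[0]),            # S22: ck under pkV_x
              enc_public(now, kv[1], kv[2]),    # S23: time stamp (public data)
              enc_public(id_p, kv[3], kv[4])]   # S23: id_P (public data)
        y, kp = self.take(id_p, KEYS_P)
        cct = [enc_secret(v, k) for v, k in zip(ct + [ck], kp[:4])]   # S24
        cct += [enc_public(s, kp[4], kp[5]), enc_public(id_v, kp[6], kp[7])]  # S25
        return {"cct": cct, "y": y, "x": x}     # authentication message 102

class Testifier:
    def __init__(self, id_p, pk_list):
        self.id, self.pk, self.ck, self.s = id_p, pk_list, None, None

    def request(self, id_v, rng=secrets.randbelow):
        self.s = rng(P)                         # S1: AUTH_REQUEST
        return (self.id, id_v, self.s)

    def handle(self, msg, id_v, t2):            # S3 and S3'
        kp = self.pk[msg["y"]:msg["y"] + KEYS_P]
        plain = [dec_secret(v, k) for v, k in zip(msg["cct"][:4], kp[:4])]
        if (dec_public(msg["cct"][4], kp[4], kp[5]) != self.s
                or dec_public(msg["cct"][5], kp[6], kp[7]) != id_v):
            raise ValueError("message not bound to my request (s, id_V)")
        self.ck = plain[3]
        extra = [enc_secret(t2, ck_mask(self.ck, 0)),       # S3': {T2, id_P}ck
                 enc_secret(self.id, ck_mask(self.ck, 1))]
        return {"ct": plain[:3], "x": msg["x"], "extra": extra}  # element 103

class Authenticator:
    def __init__(self, pk_list, window):
        self.pk, self.window, self.ck = pk_list, window, None
        self.last_t2 = {}                       # id_P -> newest T2 accepted

    def verify(self, element, claimed_id_p, now):   # S4 and S4'
        kv = self.pk[element["x"]:element["x"] + KEYS_V]
        ck = dec_secret(element["ct"][0], kv[0])
        t = dec_public(element["ct"][1], kv[1], kv[2])
        id_p = dec_public(element["ct"][2], kv[3], kv[4])
        if id_p != claimed_id_p or abs(now - t) > self.window:
            raise ValueError("wrong id_P or stale authentication element")
        t2 = dec_secret(element["extra"][0], ck_mask(ck, 0))
        if dec_secret(element["extra"][1], ck_mask(ck, 1)) != id_p:
            raise ValueError("accessory message not under this ck")
        if abs(now - t2) > self.window or t2 <= self.last_t2.get(id_p, -1):
            raise ValueError("T2 is old: replay rejected")
        self.last_t2[id_p], self.ck = t2, ck
        return ck

def run(rng=secrets.randbelow):
    """Honest run, then an eavesdropper re-submits the captured messages."""
    id_p, id_v = 11, 22
    lists = {i: [1 + rng(P - 1) for _ in range(32)] for i in (id_p, id_v)}
    server = SharedAuthServer({i: list(k) for i, k in lists.items()}, [rng(P)])
    p, v = Testifier(id_p, lists[id_p]), Authenticator(lists[id_v], window=300)
    msg = server.auth_request(*p.request(id_v, rng), now=1000)   # S1, S2
    element = p.handle(msg, id_v, t2=1001)                        # S3, S3'
    ok = v.verify(element, id_p, now=1002) == p.ck                # S4, S4'
    try:
        v.verify(element, id_p, now=1050)       # replay of the captured element
        replayed = False
    except ValueError:
        replayed = True
    return {"authenticated": ok, "replay_rejected": replayed}
```

`run()` returns `{"authenticated": True, "replay_rejected": True}`. "T2 is old" is implemented here as "outside the acceptance window or not newer than the last T2 accepted from that id_P", which is this example's reading of the description; a practitioner would also have the authenticator refuse any index x it has already consumed, since the description makes every pk one-time, and keep the time stamp check of step S4 even though S4' alone already stops the replay shown.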

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
EP95305211A 1994-07-29 1995-07-26 Procédé de portage d'une information secrête, de génération d'une signature numérique et de réalisation d'une certification dans un système de communication ayant une pluralité de dispositifs de traitement d'information et système de communication utilisant un tel procédé Expired - Lifetime EP0695056B1 (fr)

Applications Claiming Priority (9)

Application Number Priority Date Filing Date Title
JP17848394A JP3604737B2 (ja) 1994-07-29 1994-07-29 複数の情報処理装置を有する通信システムにおける秘密情報処理方法及びその通信システム
JP178483/94 1994-07-29
JP17848394 1994-07-29
JP8184/95 1995-01-23
JP818495 1995-01-23
JP818595 1995-01-23
JP00818495A JP3610106B2 (ja) 1995-01-23 1995-01-23 複数の装置を有する通信システムにおける認証方法
JP8185/95 1995-01-23
JP7008185A JPH08204697A (ja) 1995-01-23 1995-01-23 複数の装置を有する通信システムにおける署名生成方法

Publications (3)

Publication Number Publication Date
EP0695056A2 true EP0695056A2 (fr) 1996-01-31
EP0695056A3 EP0695056A3 (fr) 1997-05-21
EP0695056B1 EP0695056B1 (fr) 2005-05-11

Family

ID=27277924

Family Applications (1)

Application Number Title Priority Date Filing Date
EP95305211A Expired - Lifetime EP0695056B1 (fr) 1994-07-29 1995-07-26 Procédé de portage d'une information secrête, de génération d'une signature numérique et de réalisation d'une certification dans un système de communication ayant une pluralité de dispositifs de traitement d'information et système de communication utilisant un tel procédé

Country Status (7)

Country Link
US (1) US5708714A (fr)
EP (1) EP0695056B1 (fr)
KR (1) KR0148300B1 (fr)
AT (1) ATE295644T1 (fr)
CA (1) CA2154970C (fr)
DE (1) DE69534192T2 (fr)
HK (1) HK1011809A1 (fr)

Families Citing this family (72)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6005938A (en) * 1996-12-16 1999-12-21 Scientific-Atlanta, Inc. Preventing replay attacks on digital information distributed by network service providers
US6055518A (en) * 1996-02-01 2000-04-25 At&T Corporation Secure auction systems
US6671675B2 (en) * 1996-02-27 2003-12-30 Canon Kabushiki Kaisha Metering the flow of electronic information
US6226383B1 (en) * 1996-04-17 2001-05-01 Integrity Sciences, Inc. Cryptographic methods for remote authentication
US6041408A (en) * 1996-06-28 2000-03-21 Hitachi, Ltd. Key distribution method and system in secure broadcast communication
JP3526524B2 (ja) * 1996-10-31 2004-05-17 松下電器産業株式会社 一方向データ変換装置及び機器認証システム
US5956402A (en) * 1997-03-07 1999-09-21 At&T Corp. Passwordless secure and efficient remote data update
US5953424A (en) * 1997-03-18 1999-09-14 Hitachi Data Systems Corporation Cryptographic system and protocol for establishing secure authenticated remote access
US6035041A (en) * 1997-04-28 2000-03-07 Certco, Inc. Optimal-resilience, proactive, public-key cryptographic system and method
US6246771B1 (en) * 1997-11-26 2001-06-12 V-One Corporation Session key recovery system and method
JPH11225138A (ja) * 1998-02-06 1999-08-17 Matsushita Electric Ind Co Ltd 暗号処理装置、暗号処理方法及びその方法を記録した記録媒体
US20050049082A1 (en) * 1998-03-18 2005-03-03 Callaway Golf Company Golf ball
RU2153191C2 (ru) 1998-09-29 2000-07-20 Закрытое акционерное общество "Алкорсофт" Способ изготовления вслепую цифровой rsa-подписи и устройство для его реализации (варианты)
WO2000019652A1 (fr) * 1998-10-01 2000-04-06 University Of Maryland Generation et gestion des cles partagees reparties au moyen de cles fractionnaires
RU2157001C2 (ru) 1998-11-25 2000-09-27 Закрытое акционерное общество "Алкорсофт" Способ проведения платежей (варианты)
KR100545608B1 (ko) * 1999-03-25 2006-01-25 유티스타콤코리아 유한회사 병렬 분산구조를 갖는 데이터 획득 시스템
TW518497B (en) * 1999-03-30 2003-01-21 Sony Corp Information processing system
US7065216B1 (en) 1999-08-13 2006-06-20 Microsoft Corporation Methods and systems of protecting digital content
US6886098B1 (en) * 1999-08-13 2005-04-26 Microsoft Corporation Systems and methods for compression of key sets having multiple keys
WO2001015162A2 (fr) * 1999-08-13 2001-03-01 Microsoft Corporation Procedes et systemes de protection des contenus numeriques
US20020078358A1 (en) * 1999-08-16 2002-06-20 Neff C. Andrew Electronic voting system
US6920221B1 (en) 1999-08-29 2005-07-19 Intel Corporation Method and apparatus for protected exchange of status and secret values between a video source application and a video hardware interface
US7237116B1 (en) 2000-01-19 2007-06-26 International Business Machines Corporation Digital signature system and method based on hard lattice problem
US20030028423A1 (en) * 2000-03-24 2003-02-06 Neff C. Andrew Detecting compromised ballots
US20060085647A1 (en) * 2000-03-24 2006-04-20 Neff C A Detecting compromised ballots
US7099471B2 (en) * 2000-03-24 2006-08-29 Dategrity Corporation Detecting compromised ballots
DE60114833T2 (de) * 2000-03-24 2006-04-13 Dategrity Corp., Bellevue Überprüfbare, geheime mischung von verschlüsselten daten wie z. b. elgamal-verschlüsselte daten für gesicherte mehrinstanzwahlen
US7389250B2 (en) 2000-03-24 2008-06-17 Demoxi, Inc. Coercion-free voting scheme
JP2002190945A (ja) * 2000-10-12 2002-07-05 Canon Inc 情報処理装置及びその制御方法及び記憶媒体
EP1371169A2 (fr) * 2001-02-20 2003-12-17 Votehere Inc. Detection de bulletins de vote compromis
JP3659178B2 (ja) * 2001-02-22 2005-06-15 日本電信電話株式会社 分散ディジタル署名作成方法及び装置及び分散ディジタル署名付ディジタル文書作成方法及び装置及び分散ディジタル署名作成プログラム及び分散ディジタル署名作成プログラムを格納した記憶媒体
CA2441304C (fr) * 2001-03-24 2005-05-31 Votehere, Inc. Melanges secrets verifiables et leur application au vote electronique
MXPA02011835A (es) * 2001-03-29 2003-10-06 Matsushita Electric Ind Co Ltd Sistema de proteccion de datos que proteje datos al encriptar los datos.
ES2278047T3 (es) * 2001-04-27 2007-08-01 Betrusted Ireland Limited Sistema y procedimiento para procesar un secreto compartido.
FR2825877B1 (fr) * 2001-06-12 2003-09-19 Canal Plus Technologies Procede de controle d'acces a un programme crypte
US7287156B2 (en) * 2001-06-29 2007-10-23 International Business Machines Corporation Methods, systems and computer program products for authentication between clients and servers using differing authentication protocols
CN1207867C (zh) * 2001-09-28 2005-06-22 中国科学院研究生院 一种安全的数字签名系统及其数字签名方法
JP3997085B2 (ja) * 2001-12-28 2007-10-24 キヤノン株式会社 画像生成装置
US7349538B2 (en) * 2002-03-21 2008-03-25 Ntt Docomo Inc. Hierarchical identity-based encryption and signature schemes
US7979712B2 (en) * 2002-07-01 2011-07-12 International Business Machines Corporation Network system, server and information terminal for list matching
KR100936606B1 (ko) * 2002-10-02 2010-01-13 엘지전자 주식회사 냉장고의 메탈 플레이트 제조 방법
JP2005140823A (ja) * 2003-11-04 2005-06-02 Sony Corp 情報処理装置、制御方法、プログラム、並びに記録媒体
US7698557B2 (en) * 2003-12-22 2010-04-13 Guardtime As System and method for generating a digital certificate
CN100393034C (zh) * 2004-04-30 2008-06-04 北京航空航天大学 一种应用于组播通信系统中的源认证方法
JP4748774B2 (ja) * 2004-06-02 2011-08-17 キヤノン株式会社 暗号化通信方式及びシステム
US20050273609A1 (en) * 2004-06-04 2005-12-08 Nokia Corporation Setting up a short-range wireless data transmission connection between devices
WO2005122049A2 (fr) * 2004-06-07 2005-12-22 Dategrity Corporation Systemes et procedes cryptographiques, notamment verification d'intentions pratiques de grande certitude, par exemple pour des votes cryptes dans le cadre d'une election electronique
US8151348B1 (en) * 2004-06-30 2012-04-03 Cisco Technology, Inc. Automatic detection of reverse tunnels
US7512237B1 (en) 2004-10-26 2009-03-31 Lockheed Martin Corporation Encryption for optical communications using dynamic subcarrier multiplexing
US7536016B2 (en) * 2004-12-17 2009-05-19 Microsoft Corporation Encrypted content data structure package and generation thereof
EP1884059A2 (fr) * 2005-05-13 2008-02-06 Temple University of the Commonwealth System of Higher Education Technique de partage de secrets avec faible contenu d'information de service
US20070143216A1 (en) * 2005-12-16 2007-06-21 Benaloh Josh D Data Signal with a Database and a Compressed Key
US10303783B2 (en) * 2006-02-16 2019-05-28 Callplex, Inc. Distributed virtual storage of portable media files
US8996586B2 (en) * 2006-02-16 2015-03-31 Callplex, Inc. Virtual storage of portable media files
JP4304215B2 (ja) * 2007-03-23 2009-07-29 株式会社東芝 秘密分散装置、方法及びプログラム
JP4334582B2 (ja) * 2007-06-26 2009-09-30 株式会社東芝 秘密分散装置、方法及びプログラム
US8151333B2 (en) * 2008-11-24 2012-04-03 Microsoft Corporation Distributed single sign on technologies including privacy protection and proactive updating
US9124423B2 (en) * 2010-05-14 2015-09-01 International Business Machines Corporation Iterative data secret-sharing transformation
JP5379914B2 (ja) * 2010-07-23 2013-12-25 日本電信電話株式会社 秘密分散システム、分散装置、分散管理装置、取得装置、秘密分散方法、プログラム、及び記録媒体
US8914635B2 (en) * 2011-07-25 2014-12-16 Grey Heron Technologies, Llc Method and system for establishing secure communications using composite key cryptography
ES2959510T3 (es) 2011-10-21 2024-02-26 Icu Medical Inc Sistema de actualización de dispositivos médicos
US9092780B2 (en) * 2012-02-13 2015-07-28 PivotCloud, Inc. User-mediator monitoring and controlling access to electronic content
EP3021518B1 (fr) * 2013-08-22 2018-04-18 Nippon Telegraph And Telephone Corporation Système d'authentification sécurisée multipartite, serveur d'authentification, serveur intermédiaire, procédé d'authentification sécurisée multipartite et programme
EP3039596A4 (fr) 2013-08-30 2017-04-12 Hospira, Inc. Système et procédé de surveillance et de gestion d'un régime de perfusion à distance
US9539383B2 (en) 2014-09-15 2017-01-10 Hospira, Inc. System and method that matches delayed infusion auto-programs with manually entered infusion programs and analyzes differences therein
US10333696B2 (en) 2015-01-12 2019-06-25 X-Prime, Inc. Systems and methods for implementing an efficient, scalable homomorphic transformation of encrypted data with minimal data expansion and improved processing efficiency
US10505723B1 (en) 2017-04-26 2019-12-10 Wells Fargo Bank, N.A. Secret sharing information management and security system
WO2020027758A2 (fr) 2018-08-03 2020-02-06 Istanbul Teknik Universitesi Systèmes et procédés de génération de clés partagées, d'authentification d'identité et de transmission de données reposant sur la transmission simultanée par des canaux sans fil à accès multiples
CN110321735B (zh) * 2019-04-29 2021-04-13 山东工商学院 基于零知识证明的业务办理方法、系统及存储介质
NZ782916A (en) * 2019-05-08 2024-02-23 Icu Medical Inc Threshold signature based medical device management
EP3767511B1 (fr) * 2019-07-19 2021-08-25 Siemens Healthcare GmbH Exécution sécurisée de mises à jour de données de paramètres
CN116506232B (zh) * 2023-06-28 2023-10-10 南京畅洋科技有限公司 基于信道编码的大容量物联网隐蔽信道构建方法

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0502712B1 (fr) * 1991-03-05 2000-05-31 Canon Kabushiki Kaisha Dispositif de calcul et méthode de chiffrement/déchiffrement de données de communication en faisant usage de celui-ci
US5276737B1 (en) * 1992-04-20 1995-09-12 Silvio Micali Fair cryptosystems and methods of use
IL102394A (en) * 1992-07-02 1996-08-04 Lannet Data Communications Ltd Method and apparatus for secure data transmission
US5469507A (en) * 1994-03-01 1995-11-21 International Business Machines Corporation Secure communication and computation in an insecure environment
US5553145A (en) * 1995-03-21 1996-09-03 Micali; Silvia Simultaneous electronic transactions with visible trusted parties

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
ADVANCES IN CRYPTOLOGY - CRYPTO '89. PROCEEDINGS, SANTA BARBARA, CA, USA, 20-24 AUG. 1989, ISBN 3-540-97317-6, 1990, BERLIN, WEST GERMANY, SPRINGER-VERLAG, WEST GERMANY, pages 286-298, XP002018655 CHI-SUNG LAIH ET AL: "Dynamic threshold scheme based on the definition of cross-product in an N-dimensional linear space" *
ADVANCES IN CRYPTOLOGY - CRYPTO '91. PROCEEDINGS, SANTA BARBARA, CA, USA, 11-15 AUG. 1991, ISBN 3-540-55188-3, 1992, BERLIN, GERMANY, SPRINGER-VERLAG, GERMANY, pages 457-469, XP000269043 DESMEDT Y ET AL: "Shared generation of authenticators and signatures" *
IEEE INFOCOM '92: CONFERENCE ON COMPUTER COMMUNICATIONS. ELEVENTH ANNUAL JOINT CONFERENCE OF THE IEEE COMPUTER AND COMMUNICATIONS SOCIETIES (CAT. NO.92CH3133-6), FLORENCE, ITALY, 4-8 MAY 1992, ISBN 0-7803-0602-3, 1992, NEW YORK, NY, USA, IEEE, USA, pages 2045-2054 vol.3, XP000300331 DESMEDT Y ET AL: "Multi-receiver/multi-sender network security: efficient authenticated multicast/feedback" *
IEICE TRANSACTIONS ON FUNDAMENTALS OF ELECTRONICS, COMMUNICATIONS AND COMPUTER SCIENCES, APRIL 1993, JAPAN, vol. E76-A, no. 4, ISSN 0916-8508, pages 532-545, XP000378281 CERECEDO M ET AL: "Efficient and secure multiparty generation of digital signatures based on discrete logarithms" *

Also Published As

Publication number Publication date
US5708714A (en) 1998-01-13
EP0695056B1 (fr) 2005-05-11
DE69534192D1 (de) 2005-06-16
CA2154970C (fr) 1999-07-27
KR0148300B1 (ko) 1998-08-17
CA2154970A1 (fr) 1996-01-30
KR960006385A (ko) 1996-02-23
HK1011809A1 (en) 1999-07-16
ATE295644T1 (de) 2005-05-15
EP0695056A3 (fr) 1997-05-21
DE69534192T2 (de) 2006-02-16

Similar Documents

Publication Publication Date Title
US5708714A (en) Method for sharing secret information and performing certification in a communication system that has a plurality of information processing apparatuses
EP0735723B1 (fr) Procédé et dispositif de communication cryptographique
US5313521A (en) Key distribution protocol for file transfer in the local area network
US5907618A (en) Method and apparatus for verifiably providing key recovery information in a cryptographic system
US5124117A (en) Cryptographic key distribution method and system
Shoup et al. Securing threshold cryptosystems against chosen ciphertext attack
US6298153B1 (en) Digital signature method and information communication system and apparatus using such method
EP0916209B1 (fr) Systeme de recuperation de cles de chiffrement
CN111342976B (zh) 一种可验证的理想格上门限代理重加密方法及系统
US6697488B1 (en) Practical non-malleable public-key cryptosystem
US11870891B2 (en) Certificateless public key encryption using pairings
US7200752B2 (en) Threshold cryptography scheme for message authentication systems
US7171559B1 (en) Method of exchanging digital data
US9544144B2 (en) Data encryption
EP1366594A2 (fr) Schema cryptographique a seuil destine a des systemes d'authentification de message
US7080255B1 (en) Secret key generation method, encryption method, and cryptographic communications method and system
US20220038267A1 (en) Methods and devices for secured identity-based encryption systems with two trusted centers
US6724893B1 (en) Method of passing a cryptographic key that allows third party access to the key
JPH0846607A (ja) 複数の情報処理装置を有する通信システムにおける秘密情報処理方法及びその通信システム
JP3610106B2 (ja) 複数の装置を有する通信システムにおける認証方法
AU702563B2 (en) A method for sharing secret information, generating a digital signature, and performing certification in a communication system that has a plurality of information processing apparatuses and a communication system that employs such a method
JP2004246350A (ja) 暗号化装置および復号化装置、並びにこれらを備えた暗号システム、暗号化方法および復号化方法
Hwang Scheme for secure digital mobile communications based on symmetric key cryptography
Abe et al. A key escrow scheme with time-limited monitoring for one-way communication
JPH08204697A (ja) 複数の装置を有する通信システムにおける署名生成方法

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE CH DE DK ES FR GB GR IT LI LU NL SE

PUAL Search report despatched

Free format text: ORIGINAL CODE: 0009013

AK Designated contracting states

Kind code of ref document: A3

Designated state(s): AT BE CH DE DK ES FR GB GR IT LI LU NL SE

17P Request for examination filed

Effective date: 19971002

17Q First examination report despatched

Effective date: 20021204

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT BE CH DE DK ES FR GB GR IT LI LU NL SE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20050511

Ref country code: LI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20050511

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
WARNING: LAPSES OF ITALIAN PATENTS WITH EFFECTIVE DATE BEFORE 2007 MAY HAVE OCCURRED AT ANY TIME BEFORE 2007. THE CORRECT EFFECTIVE DATE MAY BE DIFFERENT FROM THE ONE RECORDED.

Effective date: 20050511

Ref country code: CH

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20050511

Ref country code: BE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20050511

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20050511

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REF Corresponds to:

Ref document number: 69534192

Country of ref document: DE

Date of ref document: 20050616

Kind code of ref document: P

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20050726

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20050811

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20050811

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20050811

REG Reference to a national code

Ref country code: HK

Ref legal event code: GR

Ref document number: 1011809

Country of ref document: HK

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20050822

NLV1 Nl: lapsed or annulled due to failure to fulfill the requirements of art. 29p and 29m of the patents act
REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

ET Fr: translation filed
26N No opposition filed

Effective date: 20060214

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20110804

Year of fee payment: 17

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20110726

Year of fee payment: 17

Ref country code: DE

Payment date: 20110731

Year of fee payment: 17

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20120726

REG Reference to a national code

Ref country code: FR

Ref legal event code: ST

Effective date: 20130329

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120731

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20130201

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120726

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 69534192

Country of ref document: DE

Effective date: 20130201